
8 Ways to Protect Web Forms from Spam

Posted on: May 21, 2017 by Dimitar Ivanov

If you run a site or blog you almost certainly receive large amounts of comment spam.
Besides being annoying, spam comments can hurt your ranking in search results.
Over the years a number of prevention techniques have been used to stop it.
This article summarizes the most effective anti-spam methods.

Captcha

This is probably the most popular method of fighting spam on web forms.
It works as follows: a random text (or a more complex expression, such as a
small arithmetic problem) is generated and stored in the session, the text is
drawn onto an image that is included in the form, and visitors must type that
text before the form is accepted.

The technique relies on the assumption that this is an easy task for humans
but a hard one for computers. That was true in the past, but rapid advances in
OCR software (and cheap captcha-solving services) mean spammers can solve
many captchas. A captcha therefore has to be verified carefully: compare the
answer on the server, in constant time, and discard the stored answer after a
single attempt so that a solved challenge cannot be replayed.

To build your own captcha you need some knowledge of a server-side language
(PHP, Python, Ruby, etc.).
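The complete loop, as an added example (my code, not the article's): the challenge is generated with random_int, stored in the session, drawn with GD, and verified with hash_equals, a five-minute expiry and one-time use. It assumes PHP 7.1 or later with the GD extension and that session_start() has already been called; the field name "captcha" and the file name captcha.php are assumptions.

```php
<?php
// captcha.php: added example, not the article's own code.
// Requires the GD extension; session_start() must run before these calls.
declare(strict_types=1);

const CAPTCHA_LENGTH = 6;
const CAPTCHA_TTL    = 300; // seconds a challenge stays valid

// Alphabet without look-alike glyphs (0/O, 1/I).
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Generate a new challenge with the CSPRNG and store it in the session.
function captcha_create(): string
{
    $code = '';
    $max  = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < CAPTCHA_LENGTH; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, $max)];
    }
    $_SESSION['captcha'] = ['code' => $code, 'issued' => time()];
    return $code;
}

// Render the code as a PNG; serve it from the <img src="captcha.php"> endpoint.
function captcha_render(string $code): string
{
    $img = imagecreatetruecolor(160, 50);
    $bg  = imagecolorallocate($img, 245, 245, 245);
    $fg  = imagecolorallocate($img, 30, 30, 30);
    imagefill($img, 0, 0, $bg);
    // A few random lines so the glyphs are not trivially segmented.
    for ($i = 0; $i < 8; $i++) {
        imageline($img, random_int(0, 159), random_int(0, 49),
                        random_int(0, 159), random_int(0, 49), $fg);
    }
    imagestring($img, 5, 40, 17, $code, $fg);
    ob_start();
    imagepng($img);
    imagedestroy($img);
    return ob_get_clean();
}

// Verify the visitor's answer. The stored challenge is removed before the
// comparison, whether or not it matches, so it can never be replayed; the
// comparison itself is constant-time.
function captcha_verify(?string $answer): bool
{
    $stored = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']); // one-time use
    if ($stored === null || $answer === null) {
        return false;
    }
    if (time() - $stored['issued'] > CAPTCHA_TTL) {
        return false; // expired challenge
    }
    return hash_equals($stored['code'], strtoupper(trim($answer)));
}

// --- Usage (assumed layout) ---
// Form page:      session_start(); captcha_create(); echo '<img src="captcha.php" alt="">';
// Image endpoint: session_start(); header('Content-Type: image/png');
//                 echo captcha_render($_SESSION['captcha']['code'] ?? captcha_create());
// Submit handler: session_start();
//                 if (!captcha_verify($_POST['captcha'] ?? null)) { http_response_code(400); exit; }
```

Generating a fresh challenge on every form view and deleting it on the first verification attempt are the two details that matter most: a challenge that survives a failed attempt can be brute-forced, and one that survives a successful attempt can be reused by a bot for many submissions.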

Honey pot

This method relies on the assumption that spam software does not interpret
CSS and/or JavaScript. The "honey pot" technique adds an input field that
humans never see in order to catch the less intelligent bots, which
automatically fill out every input field before submitting the form data for
processing.

Since a real visitor cannot see, and so never fills, the hidden field, a
submission in which that field (here named fax) is non-empty can be treated
as spam. Hide the field with CSS (an off-screen position or display: none set
in a stylesheet), not with type="hidden", which bots know to skip, and give it
a plausible name so that a bot filling fields by name takes the bait. Browser
autofill can populate such a field for a real visitor, so set
autocomplete="off" on it.

<?php
// comment.php
// The form contains a field real visitors never see, hidden with CSS, e.g.
//   <input type="text" name="fax" autocomplete="off" tabindex="-1" class="hp">
// Humans leave it empty; a bot that fills every field it finds does not.
if (!empty($_POST['fax'])) {
    // It's SPAM: refuse the submission
    http_response_code(400);
    exit;
}
?>

CSRF token

The synchronizer token pattern uses a unique token that is embedded in the
HTML form as a hidden field and verified on the server side when the form is
submitted. The token must be a random value that is hard to predict, generated
by a cryptographically secure random number generator, and compared in
constant time. Against spam it stops bots that POST straight to the handler
without first fetching the form; a bot that does fetch the form obtains a
valid token, so treat this as one layer rather than a complete defense.
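An implementation of the pattern, as an added example (my code, not the article's): one token per session from random_bytes, a helper that emits the hidden field, and a constant-time check on submit. It assumes PHP 7.1 or later and that session_start() has been called; the field name "csrf_token" is an assumption.

```php
<?php
// csrf.php: added example of the synchronizer token pattern, not the article's code.
// session_start() must run before these functions are called.
declare(strict_types=1);

// Issue (or reuse) the per-session token: 32 bytes from the CSPRNG, hex-encoded
// so it can be dropped into an HTML attribute without escaping surprises.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form whose submission changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate the submitted token. hash_equals() compares in constant time, so
// the token cannot be recovered byte by byte through response timing.
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false; // no token issued yet, or none submitted
    }
    return hash_equals($expected, $submitted);
}

// --- Usage (assumed layout) ---
// Form page:      echo '<form method="post" action="comment.php">' . csrf_field() . ' ... </form>';
// Submit handler: if (!csrf_verify($_POST['csrf_token'] ?? null)) { http_response_code(403); exit; }
```

The token is tied to the session, so it is only as good as the session cookie: mark that cookie HttpOnly and Secure, and rotate the session id on login so a token issued to an anonymous session is not inherited by an authenticated one.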

IP Filter

Create and regularly update a list of IP addresses from which you have already
received spam, then use the list to filter requests to your web forms.
Rather than matching addresses with regular expressions, store entries as CIDR
ranges and compare them numerically; that covers whole subnets and avoids
patterns that accidentally match unrelated addresses. Take the address from
the connection itself (REMOTE_ADDR), not from X-Forwarded-For, which any
client can set, unless a proxy you control rewrites that header. Spammers
rotate addresses, so expect the list to need constant maintenance, and keep in
mind that blocking a range can also block legitimate visitors behind the same
NAT.
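A numeric CIDR blocklist check, as an added example (my code, not the article's). The blocklist entries are constructed from the RFC 5737 documentation ranges and are not real spam sources; IPv4 only.

```php
<?php
// ipfilter.php: added example, not the article's code. Entries are plain
// IPv4 addresses or CIDR ranges; matching is numeric, not regex-based.
declare(strict_types=1);

// Constructed sample blocklist (RFC 5737 documentation ranges, not real spammers).
const SPAM_BLOCKLIST = [
    '192.0.2.10',
    '198.51.100.0/24',
    '203.0.113.128/25',
];

// True if IPv4 address $ip falls inside $cidr ("a.b.c.d" or "a.b.c.d/n").
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false; // malformed address or entry: never match
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > 32) {
        return false;
    }
    // Mask covering the top $bits bits; /0 matches everything.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function ip_is_blocked(string $ip, array $blocklist = SPAM_BLOCKLIST): bool
{
    foreach ($blocklist as $entry) {
        if (ip_in_cidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Use the socket peer address. X-Forwarded-For is attacker-controlled unless a
// proxy you trust sits in front of the application and rewrites it.
function client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// --- Usage in comment.php (assumed) ---
// if (ip_is_blocked(client_ip())) { http_response_code(403); exit; }
// Constructed checks: ip_is_blocked('198.51.100.7'), ip_is_blocked('203.0.113.5')
```

On a 64-bit PHP build ip2long returns a non-negative integer, which is what the masking above assumes; if you also need IPv6, inet_pton gives a 16-byte binary string and the same mask-and-compare idea applies byte by byte.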

Content Filter

Create and regularly update a list of words considered typical of spam.
Well-known topics include medicines, gambling, adult content, weight loss,
and so on. Then use regular expressions to find and block such content.
Anchor the patterns at word boundaries and escape the terms, or a filter for
"cialis" will also block a comment about a "specialist"; scoring several weak
signals together (keyword hits, number of links) works better than blocking on
a single match.
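A scoring content filter, as an added example (my code, not the article's). It builds one case-insensitive, word-boundary pattern from a term list, adds the number of links, and blocks above a threshold; the term list, the weights and the threshold are constructed for illustration. Assumes PHP 7.4 or later.

```php
<?php
// contentfilter.php: added example, not the article's code. Scores a comment
// against a term list and a link count instead of blocking on one hit.
declare(strict_types=1);

// Constructed sample list; a real list grows from the spam you actually receive.
const SPAM_TERMS     = ['viagra', 'cialis', 'casino', 'poker', 'weight loss', 'payday loan'];
const SPAM_THRESHOLD = 3;

// Build a single alternation. preg_quote() makes terms with regex
// metacharacters match literally; \b stops "cialis" matching "specialist".
function build_spam_pattern(array $terms): string
{
    $quoted = array_map(fn(string $t): string => preg_quote($t, '/'), $terms);
    return '/\b(?:' . implode('|', $quoted) . ')\b/iu';
}

// Score: 1 per matched term, 1 per link, 2 extra when there are more than 3 links.
function spam_score(string $text): int
{
    $score = (int) preg_match_all(build_spam_pattern(SPAM_TERMS), $text);
    $links = (int) preg_match_all('#https?://#i', $text);
    $score += $links;
    if ($links > 3) {
        $score += 2;
    }
    return $score;
}

function is_spam(string $text): bool
{
    return spam_score($text) >= SPAM_THRESHOLD;
}

// --- Usage in comment.php (assumed) ---
// if (is_spam($_POST['comment'] ?? '')) { http_response_code(400); exit; }
// Constructed inputs to try:
//   is_spam('Great post, thanks!')
//   is_spam('Cheap viagra and cialis at http://a.example http://b.example')
```

Run new terms against your existing legitimate comments before adding them; a term list tuned only on spam will happily block real readers.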

Origin header

The Origin header tells the server where the request originates.
Its value contains only the scheme, host name, and port (the port is included
only when it is not the default for the scheme); unlike the Referer header,
the Origin header carries no path information. Browsers send it with CORS
requests and with POST requests, and they do not let page scripts change it.
So, if the Origin header is present and its value is not your own origin, the
request is probably spam. A missing Origin header is not proof of a browser
request, and the literal value "null" is sent in some situations (a sandboxed
frame, for example), so treat both as untrusted rather than as a match. Any
non-browser client can set the header to whatever it likes, so this is a filter
for unsophisticated bots, not an authentication check.
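An Origin check with a Referer fallback, as an added example (my code, not the article's). The allowed-origin list and the decision to reject requests that carry neither header are assumptions; many deployments prefer to log that last case rather than block it.

```php
<?php
// origincheck.php: added example, not the article's code.
declare(strict_types=1);

// Origins your own forms are served from (assumed); list every scheme/host/port you use.
const ALLOWED_ORIGINS = ['https://example.com', 'https://www.example.com'];

// Reduce a URL (a Referer value) to scheme://host[:port], or null if unparsable.
function origin_of(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    if (isset($p['port'])) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

// True if the request may be processed.
// - Origin present: must match an allowed origin exactly; "null" and unknown
//   origins fail.
// - Origin absent: fall back to Referer's origin.
// - Neither present: reject. Privacy tools strip both headers, so measure the
//   false-positive rate before enforcing this branch in production.
function request_origin_ok(array $server, array $allowed = ALLOWED_ORIGINS): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null) {
        return in_array(strtolower($origin), $allowed, true);
    }
    $referer = $server['HTTP_REFERER'] ?? null;
    if ($referer !== null) {
        $o = origin_of($referer);
        return $o !== null && in_array($o, $allowed, true);
    }
    return false;
}

// --- Usage in comment.php (assumed) ---
// if (!request_origin_ok($_SERVER)) { http_response_code(403); exit; }
// Constructed inputs to try:
//   request_origin_ok(['HTTP_ORIGIN' => 'https://example.com'])
//   request_origin_ok(['HTTP_ORIGIN' => 'null'])
//   request_origin_ok(['HTTP_REFERER' => 'https://www.example.com/blog/post?id=1'])
```

The comparison is exact on the whole origin string, so https://example.com.evil.test and http://example.com both fail; do not relax it to a substring or prefix check.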

Hosted service

Plenty of third-party hosted anti-spam services are available. The most
notable are Google reCAPTCHA and Akismet. Akismet is best known as a WordPress
plugin, but it exposes an HTTP API that any application can call. In both
cases the visitor's submission (and, for reCAPTCHA, browser signals) is sent
to the provider, which is a privacy and availability dependency to be aware of.

Conclusion

Nowadays spammers are becoming more and more aggressive and the fight against
them is much more difficult. That makes it worth combining as many of these
methods as possible to protect a web form from spam. The fact that HTTP
headers can be forged trivially by any non-browser client, such as a cURL
script, should not discourage you from checking them. They still have a place
as an additional layer of defense in your programs: each layer raises the cost
for the spammer and stops a different class of bot.

If you have a question about the techniques for preventing SPAM,
please leave a comment below. And do not be shy to share this article. Thanks so much for reading!

Dimitar Ivanov

Dimitar Ivanov is a senior LAMP developer, javascript engineer, web performance-obsessed.
He is programming since 2003 and loves to build web applications.
You can find him on Twitter,
LinkedIn and
GitHub.
